Out of interest, in the hives you have, is a serial number recorded anywhere, or do you believe that a USB storage device was installed without a serial number being registered? If they are sample hives rather than a user's actual hives I would love to look at them.

The hives in question are from my own system...I've connected several devices to it...specifically, a digital camera and my iTouch...that do not show up under the USBStor key. They do have serial numbers, so it's not a matter of whether or not a serial number was registered.

I think that questions raised by your dissertation can be addressed by taking another look at the process for not only determining devices that were connected to the system, but also for determining which user had access to those devices.

Thanks for coming back on my question. I can't comment on the digital camera as I don't know enough about it and probably wouldn't have that model here anyway. However, I do have several iPods, both iOS and non-iOS. It is my experience that the non-iOS iPods have an option to "enable disk use" so that you can mount them and store files on them. These devices, when disk-enabled, do show up in USBstor. The iOS iPods and iPhones I have don't give this option and don't show up as a storage device or mount as an Explorer volume, hence no entry in USBstor. I know that there are utilities around that will let you mount iOS devices; to date I haven't tested them, but I think in order for Explorer to see them they would probably need to mount in the conventional way and would have an entry in USBstor.

I suppose where I'm going with this is: if I connect a USB keyboard or headset I'll get an entry in Enum\USB. However, if I attempt to mount a device for storage via Windows Explorer, I would expect an entry in USBstor. Out of interest, did you attempt to download/upload a file to your iPod touch without using iTunes? That would be really interesting if you have done that without mounting the drive. I think I have seen something about using iTunes file sharing to sync data that was made to look as if it was from specific apps; tracking this would have been outside the scope of my research though.

Do you know if any MTP device registry parsers exist? It would be interesting to pull all the MTP pieces from the registry and correlate them. I think there is data in Windows Portable Devices along with Enum\USB on MTP devices, and I'm sure other areas and device-specific logs too. Still, that's a whole other day's work...

It seems like in Windows 7 the good MS guys have somehow "expanded" the protocol with their "Device Experience", so it is possible that there is an additional set of data coming from a "responder" (if the peripheral/device also runs 7 in the "compact" version), see: blogs.windows.com/wind...dated.aspx
(though the images seem to be no longer accessible, as well as the "main" page, which now redirects to the "new, improved" Windows 8 Device Experience)

I can't seem to find (besides an actual parser) any good description/documentation of the whole set of registry keys affected by the connection of a (USB) MTP device and related drivers; it is like the whole forensics community is ignoring this.
I could only find this "passing by" reference on the whole forum: www.forensicfocus.com/...4/start=0/

It could be a good topic for a new research project/thesis...

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
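A starting point for the cross-key correlation the thread asks about, added here as an example and not taken from the thread or from any existing tool: it parses constructed subkey names of the kind found under USBSTOR, Enum\USB and Windows Portable Devices\Devices, records which key each serial appears under, and lists devices that Windows exposed as portable devices but never as a disk (the iOS/MTP case above). The "&" second-character rule is the usual forensic heuristic for a Windows-generated instance id; the WPD name layouts are assumptions and vary between Windows versions.

```python
import re

# Constructed sample subkey names (not from the thread) as found under
# USBSTOR, Enum\USB and Windows Portable Devices\Devices; the WPD name
# layouts are assumptions and vary between Windows versions.
USBSTOR = [
    r"Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\4C530001230123456789&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0",  # no serial
]
ENUM_USB = {  # VID_xxxx&PID_xxxx -> instance ids beneath it
    "VID_0781&PID_5567": ["4C530001230123456789"],  # the SanDisk stick
    "VID_05AC&PID_129E": ["a1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8c9d0"],  # iOS
    "VID_046D&PID_C31C": ["6&1e2f3a4b&0&1"],  # a keyboard
}
WPD = [
    "USB#VID_05AC&PID_129E#a1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8c9d0#{guid}",
    "WPDBUSENUMROOT#UMB#2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#"
    "DISK&VEN_SANDISK&PROD_CRUZER&REV_1.00#4C530001230123456789&0#",
]

def windows_generated(instance_id):
    # Heuristic: '&' as 2nd char = device gave no serial, Windows made the id
    return len(instance_id) > 1 and instance_id[1] == "&"

def serial_of(instance_id):
    """Drop the '&0' suffix Windows appends to a device-reported serial."""
    return instance_id[:-2] if instance_id.endswith("&0") else instance_id

def parse_usbstor(name):
    device, _, inst = name.partition("\\")
    m = re.match(r"[^&]+&Ven_([^&]*)&Prod_([^&]*)&Rev_(.*)", device)
    return {"vendor": m.group(1), "product": m.group(2), "rev": m.group(3),
            "serial": serial_of(inst), "generated": windows_generated(inst)}

def parse_wpd(name):
    """Pull the instance id out of either assumed WPD name layout."""
    m = (re.search(r"USBSTOR#[^#]*#([^#]*)#", name)
         or re.search(r"VID_\w+&PID_\w+#([^#]*)#", name))
    return serial_of(m.group(1)) if m else None

def correlate(usbstor=USBSTOR, enum_usb=ENUM_USB, wpd=WPD):
    """Map each upper-cased serial to the registry keys it appears under."""
    seen = {}
    for n in usbstor:
        seen.setdefault(parse_usbstor(n)["serial"].upper(), set()).add("USBSTOR")
    for inst in (i for insts in enum_usb.values() for i in insts):
        seen.setdefault(serial_of(inst).upper(), set()).add("Enum\\USB")
    for s in filter(None, map(parse_wpd, wpd)):
        seen.setdefault(s.upper(), set()).add("WPD")
    return seen

def wpd_without_usbstor(seen):
    """Portable (MTP/iOS) devices that never appeared as a disk."""
    return sorted(s for s, k in seen.items() if "WPD" in k and "USBSTOR" not in k)
```

Feeding it real subkey names read from a hive (with a hive parser of your choice) replaces the constructed lists; the keyboard's Windows-generated id shows how a serial-less device still correlates only within Enum\USB.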